
Address security advisories for urllib3 and idna #507

Merged
weppos merged 2 commits into main from vigilant-noyce-e8ae00 on Jun 3, 2026

Conversation

@weppos weppos (Member) commented Jun 3, 2026
Summary

Addresses the open Dependabot security alerts. All three affect transitive runtime dependencies pulled in via requests (they are not used directly in this library), so this raises their minimum versions to the patched releases.

| Severity | Package | Advisory | Fix |
|----------|---------|----------|-----|
| High | urllib3 | CVE-2026-44432: decompression-bomb safeguards bypassed in the streaming API | >=2.7.0 |
| High | urllib3 | CVE-2026-44431: sensitive headers forwarded across origins in proxied redirects | >=2.7.0 |
| Medium | idna | CVE-2026-45409: crafted inputs to idna.encode() bypass the CVE-2024-3651 fix | >=3.15 |

Changes

  • pyproject.toml: add lower-bound constraints urllib3 >=2.7.0 and idna >=3.15.
  • CHANGELOG.md: add an Unreleased / Security entry.

Verification

  • poetry lock resolves cleanly to urllib3 2.7.0 and idna 3.18 (both patched), alongside requests 2.34.2.
  • Full test suite passes (182 tests).
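A small check, added here as an example and not part of this PR or the project, that verifies resolved dependency versions against the security lower bounds the PR introduces (urllib3 >=2.7.0, idna >=3.15). The two resolved-version maps are constructed stand-ins: one mirrors the lock result reported above, the other a stale lock that still carries affected releases; the live-environment helper reuses the same check against whatever is installed.

```python
"""Verify that resolved transitive dependencies meet the security floors.

Added example, not code from the PR or the project. The floors are the
constraints this PR adds to pyproject.toml; the resolved maps are constructed.
"""
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

# Lower bounds introduced by the PR (pyproject.toml constraints).
SECURITY_FLOORS = {"urllib3": ">=2.7.0", "idna": ">=3.15"}

# Constructed stand-in for the `poetry lock` result described in the PR.
RESOLVED_OK = {"requests": "2.34.2", "urllib3": "2.7.0", "idna": "3.18"}
# Constructed stand-in for a stale lock that still resolves to affected releases.
RESOLVED_STALE = {"requests": "2.34.2", "urllib3": "2.6.3", "idna": "3.10"}

_SPEC_RE = re.compile(r"^(>=|>|==)\s*([0-9]+(?:\.[0-9]+)*)$")
_RELEASE_RE = re.compile(r"^[0-9]+(?:\.[0-9]+)*")


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric release segment only; pre/post-release suffixes are ignored."""
    m = _RELEASE_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def satisfies(resolved: str, spec: str) -> bool:
    """True if `resolved` meets a simple `>=`, `>` or `==` specifier."""
    m = _SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported specifier: {spec!r}")
    op, floor, got = m.group(1), parse_version(m.group(2)), parse_version(resolved)
    width = max(len(floor), len(got))          # so 3.15 and 3.15.0 compare equal
    floor += (0,) * (width - len(floor))
    got += (0,) * (width - len(got))
    return {">=": got >= floor, ">": got > floor, "==": got == floor}[op]


def unsatisfied(resolved: dict, floors: dict = SECURITY_FLOORS) -> dict:
    """Return {package: resolved_version_or_'missing'} for every floor not met."""
    return {
        pkg: resolved.get(pkg, "missing")
        for pkg, spec in floors.items()
        if pkg not in resolved or not satisfies(resolved[pkg], spec)
    }


def unsatisfied_in_environment(floors: dict = SECURITY_FLOORS) -> dict:
    """Same check against the packages installed in the running interpreter."""
    resolved = {}
    for pkg in floors:
        try:
            resolved[pkg] = installed_version(pkg)
        except PackageNotFoundError:
            pass  # reported as 'missing' by unsatisfied()
    return unsatisfied(resolved, floors)
```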

Raise the minimum versions of these transitive dependencies (pulled in
via requests) to pick up security fixes:

- urllib3 >=2.7.0 (CVE-2026-44431, CVE-2026-44432)
- idna >=3.15 (CVE-2026-45409)
@weppos weppos added the dependencies Pull requests that update a dependency file. label Jun 3, 2026
@weppos weppos self-assigned this Jun 3, 2026
@weppos weppos added the bug label Jun 3, 2026
Signed-off-by: Simone Carletti <weppos@weppos.net>
@weppos weppos merged commit b840eb6 into main Jun 3, 2026
3 checks passed
@weppos weppos deleted the vigilant-noyce-e8ae00 branch June 3, 2026 06:51